
Transformations on conjunctions

Before we discuss transformations on conjunctions, we need the following additional definition:

Definition B.2. We say a valid transformation $T$ preserves $1 \ldots \tilde{n}$ and $1 \ldots \tilde{m}$ if it can be expressed as a set of basic operations which does not include $\mathsf{RemoveVar}(X[i])$ for any $i \in [1 \ldots \tilde{n}]$

Note that all of our derived operations can be described by a set of basic operations which does not run $\mathsf{RemoveVar}$ on any of the input variables, so a transformation described in terms of these derived operations that does not explicitly call $\mathsf{RemoveVar}$ on any of the mentioned variables also preserves those variables.

Now we are ready to present our theorem describing transforms on conjunctions:

Theorem B.3. For any pair of valid transformations $T_0$ and $T_1$ that preserve $1 \ldots \tilde{m}$ and $1 \ldots \tilde{n}$, we derive a transformation $\mathsf{Lift}(T_0, T_1)$ such that

$$\mathsf{Lift}(T_0, T_1; \tilde{m}, \tilde{n})(\mathsf{And}(x_0, x_1; \tilde{m}, \tilde{n})) = \mathsf{And}(T_0(x_0), T_1(x_1); \tilde{m}, \tilde{n}).$$

Proof. Suppose we are given $T_0$ and $T_1$. W.l.o.g. we will consider how to generate a transformation which, given $\mathsf{And}(x_0, x_1; \tilde{m}, \tilde{n})$, will produce $\mathsf{And}(T_0(x_0), x_1; \tilde{m}, \tilde{n})$; the second transformation can then be implemented analogously.

Let $x_0 = (\mathsf{eq}^{(0)}_1, \ldots, \mathsf{eq}^{(0)}_{\ell_0}, A^{(0)}, B^{(0)})$ and $x_1 = (\mathsf{eq}^{(1)}_1, \ldots, \mathsf{eq}^{(1)}_{\ell_1}, A^{(1)}, B^{(1)})$. Then

$$\mathsf{And}(x_0, x_1) = (\mathsf{eq}'^{(0)}_1, \ldots, \mathsf{eq}'^{(0)}_{\ell_0}, \mathsf{eq}'^{(1)}_1, \ldots, \mathsf{eq}'^{(1)}_{\ell_1}, A', B').$$

Given a conjunction proof $\pi \leftarrow \mathcal{P}(\sigma_{crs}, \mathsf{And}(x_0, x_1; \tilde{m}, \tilde{n}), \mathsf{And}_w(w_0, w_1; \tilde{m}, \tilde{n}))$ we now consider how to apply the transformation $T_0$ to the left-hand side of the proof. We will show how this can be done for each of our basic operations; as any valid transformation can be represented as a set of basic operations, this suffices to prove the theorem.

1. Merge Equations: $\mathsf{Lift}(T_{\mathsf{MergeEq}(\mathsf{eq}^{(0)}_i, \mathsf{eq}^{(0)}_j)}, T_{id})$ executes the $\mathsf{MergeEq}(\mathsf{eq}'^{(0)}_i, \mathsf{eq}'^{(0)}_j)$ operation.

2. Merge Variables: Let $x = x_{i_1}$, $y = x_{i_2}$, $z = x_{i_3}$ (once it is created) and $S = \{y_{s_1}, \ldots, y_{s_{|S|}}\}$. Let $i'_1, i'_2, i'_3, \{s'_1, \ldots, s'_{|S|}\}$ be the positions of the lifted variables. This does not affect the other side of the `and' as shared variables are excluded. $\mathsf{Lift}(T_{\mathsf{MergeVar}(x, y, z, S)}, T_{id})$ uses $\mathsf{MergeVar}(X'[i'_1], X'[i'_2], X'[i'_3], \{Y'[s'_i]\}_{i=1}^{|S|})$ to generate the equations $e(x, w)^{-1} e(y, w)^{-1} e(z, w) = 1$ for $w \in S$ that will be added to $\{\mathsf{eq}'^{(0)}_i\}_{i=1}^{\ell_0}$. Finally, $\mathsf{RemoveEq}$ and $\mathsf{RemoveVar}$ are used to remove unused equations and variables.

3. Exponentiate Variables: Let $x = x_{i_e}$, $z = x_{i_z}$ (once it is created), and $S = \{y_{s_1}, \ldots, y_{s_{|S|}}\}$. Let $i'_e, i'_z, \{s'_1, \ldots, s'_{|S|}\}$ be the positions of the lifted variables. This does not affect the other side of the `and' as shared variables are excluded. $\mathsf{Lift}(T_{\mathsf{ExpVar}(x, \delta, z, S)}, T_{id})$ uses $\mathsf{ExpVar}(X'[i'_e], \delta, X'[i'_z], \{Y'[s'_j]\}_{j=1}^{|S|})$ to obtain the equations corresponding to $e(x, w)^{-\delta} e(z, w) = 1$ for $w \in S$. Finally, $\mathsf{RemoveEq}$ and $\mathsf{RemoveVar}$ are used to remove unused equations and variables.

4. Add Constant Equation: $\mathsf{Lift}(T_{\mathsf{Add}(\{a_i\}, \{b_j\}, \{\gamma_{ij}\})}, T_{id})$ executes an $\mathsf{Add}(\{a_i\}, \{b_j\}, \{\gamma_{ij}\})$ operation to extend the equations $\{\mathsf{eq}'^{(0)}_i\}_{i=1}^{\ell_0}$ with an additional equation.

5. Remove Equation: $\mathsf{Lift}(T_{\mathsf{RemoveEq}(\mathsf{eq}^{(0)}_i)}, T_{id})$ executes the operation $\mathsf{RemoveEq}(\mathsf{eq}'^{(0)}_i)$.

6. Remove Variable: Let $x = x_{i_r}$, and let $i'_r$ be the position of the lifted variable. This does not affect the other side of the `and' as shared variables are excluded. $\mathsf{Lift}(T_{\mathsf{RemoveVar}(x)}, T_{id})$ executes $\mathsf{RemoveVar}(X'[i'_r])$.

C Proof of Efficient Controlled Malleable NIZK (Theorem 4.5)

Definition C.1. For a relation $R$ and a class of transformations $\mathcal{T}$, we say $(R, \mathcal{T})$ is CM-friendly if the following six properties hold:

1. Representable statements: any instance and witness of $R$ can be represented as a set of group elements; i.e., there are efficiently computable bijections $F_s : L_R \to G^{d_s}$ for some $d_s$ and $F_w : W_R \to G^{d_w}$ for some $d_w$, where $W_R := \{w \mid \exists x : (x, w) \in R\}$.

2. Representable transformations: any transformation in $\mathcal{T}$ can be represented as a set of group elements; i.e., there is an efficiently computable bijection $F_t : \mathcal{T} \to G^{d_t}$ for some $d_t$.

3. Provable statements: we can prove the statement $(x, w) \in R$ (using the above representations for $x$ and $w$) using pairing product equations; i.e., there is a pairing product statement that is satisfied by $F_s(x)$ and $F_w(w)$ iff $(x, w) \in R$.

4. Provable transformations: we can prove the statement ``$T_x(x') = x$ for $T \in \mathcal{T}$'' (using the above representations for $x$ and $T$) using a pairing product equation; i.e., there is a pairing product statement that is satisfied by $F_t(T), F_s(x), F_s(x')$ iff $T \in \mathcal{T}$ and $T_x(x') = x$.

5. Transformable statements: for any $T \in \mathcal{T}$, there is a valid transformation $s(T)$ that takes the statement ``$(x, w) \in R$'' (phrased using pairing products as above) and produces the statement ``$(T_x(x), T_w(w)) \in R$.''

6. Transformable transformations: for any $T, T' \in \mathcal{T}$ there is a valid transformation $t(T')$ that takes the statement ``$T_x(x') = x$ for $T \in \mathcal{T}$'' (phrased using pairing products as above) and produces the statement ``$T'_x \circ T_x(x') = T'_x(x)$ for $T' \circ T \in \mathcal{T}$,'' and that preserves[16] the variables in $x'$.

With this definition suitably formalized, we restate the theorem we would like to prove:

Theorem 4.5. Given a derivation private NIWIPoK for pairing product statements that is malleable for the set of all valid transformations, and a structure preserving signature scheme, we can construct a cm-NIZK for any CM-friendly relation and transformation class $(R, \mathcal{T})$.

Proof. Let $(R, \mathcal{T})$ be a CM-friendly relation and transformation class. Let $(\mathsf{Setup}_{pp}, \mathcal{P}_{pp}, \mathcal{V}_{pp}, \mathsf{ZKEval}_{pp})$ be a NIWIPoK for pairing product statements that is malleable for the set of all valid transformations, and let $(\mathsf{KeyGen}, \mathsf{Sign}, \mathsf{VerifySig})$ be a structure-preserving signature scheme.

Let $R_{WI}$ be the relation

$$\{((vk, x), (w, x', T, \sigma)) \mid (x, w) \in R \;\vee\; (\mathsf{VerifySig}(vk, \sigma, x') = 1 \wedge x = T(x') \wedge T \in \mathcal{T})\}$$

needed by our generic construction. We want to consider an embedding of this language into pairing product equations. Let $PP_s$ be the pairing product statement specified by the provable statements requirement, let $PP_{Ver}$ be the pairing product equations specified by the verification algorithm of the structure preserving signature scheme, and let $PP_t$ be the pairing product equations specified by the provable transformations requirement. If $PP$ has variables $x, y, z$, we write $PP(a, b)$ for the equations in which $x, y$ are constrained to $a, b$. We have that $(x, w) \in R$ iff $PP_s(F_s(x), F_w(w)) = \mathsf{TRUE}$, $\mathsf{VerifySig}(vk, \sigma, x') = 1$ iff $PP_{Ver}(vk, F_s(x'), \sigma) = \mathsf{TRUE}$, and $x = T(x') \wedge T \in \mathcal{T}$ iff $PP_t(F_s(x), F_s(x'), F_t(T)) = \mathsf{TRUE}$. $PP_{Ver}$ and $PP_t$ share the unconstrained variables $F_s(x')$; w.l.o.g. we assume that these are the first $\tilde{n}$ variables of $PP_{Ver}$ and $PP_t$. Let $t(T)$ and $s(T)$ be the transformations on transformations and on instances, respectively, guaranteed by CM-friendliness. We note that, given the above, if we set

$$x_{pp} = \mathsf{Or}(PP_s(F_s(x)), \mathsf{And}(PP_{Ver}(vk), PP_t(F_s(x)); \tilde{n}))$$

and

$$w_{pp} = \mathsf{Or}_w(PP_s(F_s(x)), \mathsf{And}(PP_{Ver}(vk), PP_t(F_s(x)); \tilde{n}), F_w(w), \mathsf{And}_w((F_s(x'), \sigma), (F_s(x'), F_t(T), \sigma), \tilde{n})),$$

then $(x_{pp}, w_{pp}) \in R_{PP}$ iff $((vk, x), (w, x', T, \sigma)) \in R_{WI}$. Thus, we can easily implement a NIWIPoK for the relation $R_{WI}$ as:

$\mathsf{Setup}(1^k)$: Run $\mathsf{Setup}_{pp}(1^k)$ to get $\sigma_{crs}$.

$\mathcal{P}(\sigma_{crs}, x, (w, x', T, \sigma))$: Let

$$x_{pp} = \mathsf{Or}(PP_s(F_s(x)), \mathsf{And}(PP_{Ver}(vk), PP_t(F_s(x)); \tilde{n}))$$

and

$$w_{pp} = \mathsf{Or}_w(PP_s(F_s(x)), \mathsf{And}(PP_{Ver}(vk), PP_t(F_s(x)); \tilde{n}), F_w(w), \mathsf{And}_w((F_s(x'), \sigma), (F_s(x'), F_t(T), \sigma), \tilde{n})).$$

Return the proof $\pi \leftarrow \mathcal{P}_{pp}(\sigma_{crs}, x_{pp}, w_{pp})$.

$\mathcal{V}(\sigma_{crs}, x, \pi)$: Compute $x_{pp} = \mathsf{Or}(PP_s(F_s(x)), \mathsf{And}(PP_{Ver}(vk), PP_t(F_s(x)); \tilde{n}))$. Output $\mathcal{V}_{pp}(\sigma_{crs}, x_{pp}, \pi)$.

$\mathsf{ZKEval}(T, \pi)$: Let $T_s = s(T)$ and $T_t = \mathsf{Lift}(id, t(T))$. Compute $\mathsf{ZKEval}_{pp}(\mathsf{LR}(T_s, T_t), \pi)$.

From Theorems B.1 and B.3 we have that $\mathsf{LR}(T_s, T_t)$ is a valid transformation that transforms an instance

$$x_{pp} = \mathsf{Or}(PP_s(F_s(x)), \mathsf{And}(PP_{Ver}(vk), PP_t(F_s(x)); \tilde{n}))$$

into an instance

$$x'_{pp} = \mathsf{Or}(s(T)(PP_s(F_s(x))), \mathsf{And}(PP_{Ver}(vk), t(T)(PP_t(F_s(x))); \tilde{n})).$$

The properties of $\mathsf{Or}$ and $\mathsf{And}$ guarantee that $x'_{pp} \in L_{pp}$ iff $\exists\, w, x', T', \sigma : ((vk, T_x(x)), (w, x', T', \sigma)) \in R_{WI}$. In other words, for every $T' = (T'_x, T'_w) \in \mathcal{T}$, $\mathsf{LR}(T_s, T_t)$ with $T_s = s(T')$ and $T_t = \mathsf{Lift}(id, t(T'))$ realizes a function $T_{WI}(T') \in \mathcal{T}_{WI}$. For every $T_{WI}(T') = (T_{WI,x}, T_{WI,w})$ we have that $T_{WI,x}(vk, x) = (vk, T'_x(x))$ and $T_{WI,w}(w, x', T, \sigma) = (T'_w(w), x', T' \circ T, \sigma)$.

The proof system described above is thus a derivation private NIWIPoK for $R_{WI}$ that is malleable with respect to $\mathcal{T}_{WI}$. We conclude by Theorems 3.2, 3.3 and 3.4.

[16] We say a valid transformation $T$ preserves a variable $x$ if $T$ can be described by a set of basic operations that

D Efficient Instantiations of CM-CCA-Secure Encryption and Compactly Verifiable Shuffles

D.1 BBS encryption

For all of our efficient instantiations involving IND-CPA-secure encryption, we use the Boneh-Boyen-Shacham (BBS) encryption scheme [11], which we recall works as follows:

• $\mathsf{KeyGen}(1^k)$: Compute a bilinear group $G$ of some prime order $p$ with generator $g$ and pairing $e : G \times G \to G_T$. Pick random values $\alpha, \beta \xleftarrow{\$} \mathbb{F}_p$ and set $f := g^\alpha$ and $h := g^\beta$. Publish $pk := (p, G, G_T, g, e, f, h)$ (or just $pk := (f, h)$ if the group has been specified elsewhere) and keep $sk := (\alpha, \beta)$.

• $\mathsf{Enc}(pk, m)$: Pick random values $r, s \xleftarrow{\$} \mathbb{F}_p$ and compute $u := f^r$, $v := h^s$, and $w := g^{r+s} m$; return $c := (u, v, w)$.

• $\mathsf{Dec}(sk, c)$: Parse $c = (u, v, w)$ and $sk = (\alpha, \beta)$; then compute $m := u^{-1/\alpha} v^{-1/\beta} w$. (This is correct because $u^{-1/\alpha} = g^{-r}$ and $v^{-1/\beta} = g^{-s}$, so the product is $g^{-(r+s)} \cdot g^{r+s} m = m$.)

This scheme is multiplicatively homomorphic; to see this, note that we can simply define $\mathsf{Eval}(pk, \{c_i\}, \times) = c_1 \cdot \ldots \cdot c_n$ (i.e., the homomorphic operation on ciphertexts is also componentwise multiplication). To see that this works, we consider two ciphertexts $c_1 = (f^{r_1}, h^{s_1}, g^{r_1+s_1} m_1)$ and $c_2 = (f^{r_2}, h^{s_2}, g^{r_2+s_2} m_2)$, and confirm that computing $c_1 c_2 = (f^{r_1+r_2}, h^{s_1+s_2}, g^{r_1+r_2+s_1+s_2} m_1 m_2)$ does indeed give us an encryption of $m_1 m_2$ (under randomness $r_1 + r_2$ and $s_1 + s_2$). We can similarly define an algorithm $\mathsf{ReRand}(pk, c)$ to show that the scheme is also re-randomizable: given an encryption $c = (u := f^r, v := h^s, w := g^{r+s} m)$, we compute a new encryption $c' := (u', v', w')$ of the same message $m$ by picking $r', s' \xleftarrow{\$} \mathbb{F}_p$ and setting $u' := u \cdot f^{r'} = f^{r+r'}$, $v' := v \cdot h^{s'} = h^{s+s'}$, and $w' := w \cdot g^{r'} g^{s'} = g^{(r+r')+(s+s')} m$. By Theorem 2.10, BBS encryption is therefore function private (as defined in Definition 2.9).
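The BBS algorithms above, worked through as an added example that is not code from the paper [11] or from its authors: a toy Python instantiation over a non-bilinear prime-order group (the quadratic residues modulo the safe prime 10007, an assumed toy parameter), with `keygen`, `enc`, `dec`, `eval_mul` and `rerand` (assumed names) mirroring $\mathsf{KeyGen}$, $\mathsf{Enc}$, $\mathsf{Dec}$, $\mathsf{Eval}$ and $\mathsf{ReRand}$. None of those five algorithms evaluates the pairing, so the group identities of the text (decryption correctness, $c_1 c_2$ encrypting $m_1 m_2$, and re-randomization preserving the plaintext) can be checked in any prime-order group; the pairing is needed only by the proof system built on top, and DLIN security needs a real bilinear group of cryptographic size, so this is an arithmetic check, not a usable cipher.

```python
"""Toy BBS (linear) encryption over a prime-order subgroup of Z_q^*.

Added example for this appendix, not code from the paper or its authors.
Assumptions: the toy group (quadratic residues mod the safe prime Q = 10007,
which have prime order P = 5003) and the function names.  The parameters are
far too small to be secure and the group is not bilinear.
"""
import secrets

Q = 10007           # assumption: toy modulus, a safe prime
P = (Q - 1) // 2    # 5003; the quadratic residues mod Q form a group of this prime order
G = 4               # 2^2 is a quadratic residue != 1, hence generates the order-P subgroup


def _is_prime(n):
    """Trial division, adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


assert _is_prime(Q) and _is_prime(P), "Q must be a safe prime"
assert G != 1 and pow(G, P, Q) == 1, "G must have order P"


def rand_exp():
    """Uniform exponent in F_P minus {0}; alpha and beta must be invertible mod P."""
    return 1 + secrets.randbelow(P - 1)


def keygen():
    """KeyGen: f = g^alpha, h = g^beta; returns pk = (f, h), sk = (alpha, beta)."""
    alpha, beta = rand_exp(), rand_exp()
    return (pow(G, alpha, Q), pow(G, beta, Q)), (alpha, beta)


def enc(pk, m, r=None, s=None):
    """Enc: c = (f^r, h^s, g^{r+s} m).  r, s may be fixed to reproduce the text's identities."""
    f, h = pk
    r = rand_exp() if r is None else r
    s = rand_exp() if s is None else s
    return (pow(f, r, Q), pow(h, s, Q), pow(G, r + s, Q) * m % Q)


def dec(sk, c):
    """Dec: m = u^{-1/alpha} v^{-1/beta} w, since u^{-1/alpha} = g^{-r} and v^{-1/beta} = g^{-s}."""
    alpha, beta = sk
    u, v, w = c
    inv_a, inv_b = pow(alpha, -1, P), pow(beta, -1, P)   # exponents live in F_P
    return pow(u, (-inv_a) % P, Q) * pow(v, (-inv_b) % P, Q) * w % Q


def eval_mul(cs):
    """Eval(pk, {c_i}, x): componentwise product, an encryption of the product of the m_i."""
    u = v = w = 1
    for cu, cv, cw in cs:
        u, v, w = u * cu % Q, v * cv % Q, w * cw % Q
    return (u, v, w)


def rerand(pk, c):
    """ReRand(pk, c): multiply in a fresh encryption of 1, i.e. (f^{r'}, h^{s'}, g^{r'+s'})."""
    return eval_mul([c, enc(pk, 1)])


def demo():
    """Exercise decryption, the homomorphism and re-randomization; return the outcomes."""
    pk, sk = keygen()
    m1, m2 = pow(G, 123, Q), pow(G, 4567, Q)      # messages are group elements
    c1, c2 = enc(pk, m1), enc(pk, m2)
    c12 = eval_mul([c1, c2])
    c1r = rerand(pk, c1)
    return {
        "dec_ok": dec(sk, c1) == m1 and dec(sk, c2) == m2,
        "hom_ok": dec(sk, c12) == m1 * m2 % Q,
        "rerand_same_msg": dec(sk, c1r) == m1,
        "rerand_changes_ct": c1r != c1,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports all four checks as true. Fixing `r` and `s` in `enc` reproduces the identity $c_1 c_2 = (f^{r_1+r_2}, h^{s_1+s_2}, g^{r_1+r_2+s_1+s_2} m_1 m_2)$ exactly, which is the step the text relies on for both the homomorphism and re-randomization (the latter being multiplication by an encryption of $1$).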
